Hi,

I’m having a hard time figuring out how to whitelist events from specific ASNNumber.

I created a postoverflow whitelist in /etc/crowdsec/postoverflows/s01-whitelist/zz-whitelist-AS.yaml and tried various expressions without success.

Here are the ones that pass the compilation, but the ASNumber seems to be empty at runtime:

name: zz-whitelist-AS
description: Whitelist some AS
debug: true
whitelist:
  reason: Whitelisted AS
  expression:
    - evt.Enriched.ASNNumber in [3215, 15557, 12322, 5410] 
    - evt.Meta.ASNNumber in [3215, 15557, 12322, 5410]
    - evt.Overflow.Sources.AsNumber in [3215, 15557, 12322, 5410]

Here is the debug output from theses expressions:

• evt.Enriched.ASNumber → level=debug msg=" evt.Enriched.ASNNumber = ''"
• evt.Meta.ASNNumber → msg=" evt.Meta.ASNNumber = ''"
• evt.Overflow.Sources.AsNumber → msg=" evt.Overflow.Sources.AsNumber = '{ 0 0 <nil> <nil>}'"

Is it possible to whitelist events based on ASNNumber?

Thanks.

Hello @eguaj ,

You can do it by accessing the AS Number in postoverflow in evt.Overflow.Alert.Source.AsNumber .

Hope it helps!

Thank you, it works!

I also had to change the AS numbers to strings (i.e. '3215' instead of 3215`):

name: zz-whitelist-AS
description: Whitelist some AS
debug: true
whitelist:
  reason: Whitelisted AS
  expression:
    - evt.Overflow.Alert.Source.AsNumber in ['3215', '15557', '12322', '5410']